United States Department of Agriculture
Office of Inspector General

Management and Security Over USDA's Universal Telecommunications Network

Audit Report 88501-0002-12
July 2014

OIG examined whether the USDA Universal Telecommunications Network (UTN) was properly
configured, managed, and secured, and if its task order with AT&T was properly implemented.

What Were OIG’s Objectives

We conducted an audit of the UTN to obtain reasonable assurance that the system was
configured, managed, and secured in accordance with applicable guidance. We also reviewed the
task order and billing to determine whether Government funding had been properly managed,
expended, and monitored.

What OIG Reviewed

We reviewed selected UTN controls and related policies and procedures to determine if they
were suitable and conformed to NIST requirements and whether billing for the services provided
was in accordance with Government Accountability Office internal control standards.

What OIG Recommends

OCIO and OPPM should strengthen their internal controls over task order administration, take
steps to enhance communication with AT&T, ensure AT&T meets task order obligations, and
develop new procedures to address security weaknesses. The agencies should also seek
reimbursement for the amounts AT&T overbilled.

What OIG Found

In 2010, USDA signed a multi-year task order with AT&T to provide the Universal
Telecommunications Network (UTN), the data network backbone for its customers and agencies.
We found that USDA is not adequately overseeing UTN security and performance. The Office of
the Chief Information Officer (OCIO) staff concentrated on the operational aspects of the UTN,
without placing adequate emphasis on security and task order management, and the contracting
officer (CO) from the Office of Procurement and Property Management (OPPM) was not familiar
with the task order. We also found that AT&T had not yet installed required network security
features. This occurred because OCIO lacked sufficient controls to ensure that all task order
provisions were met—for instance, the responsible CO did not have a copy of the task order
6 months after it was assigned to him. Past OIG audit recommendations were also not adequately
addressed. As a result, USDA faces an increased risk of sensitive information being lost,
disclosed, altered, or destroyed, and is paying for task order services that are not being
provided.

OCIO did not perform an adequate reconciliation of UTN charges, and reconciliation procedures
were inadequate and outdated. As a result, an AT&T audit requested by OCIO found it had both
overbilled and under-billed USDA for an aggregate total of more than $1.9 million. Even after
becoming aware of this, OCIO did not fix the discrepancies and AT&T continued to overbill
almost $90,000 in subsequent months. OCIO and OPPM have agreed to all of the findings and
recommendations, and we have reached management decision on 19 of the 21 recommendations.

United States Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE:          July 17, 2014

AUDIT
NUMBER:        88501-0002-12

TO:            Cheryl L. Cook
               Chief Information Officer
               Office of the Chief Information Officer
               ATTN: Christopher Wren

               Lisa A. Wilusz
               Director
               Office of Procurement and Property Management
               ATTN: Lennetta Elias

FROM:          Gil H. Harden
               Assistant Inspector General for Audit

SUBJECT:       Management and Security Over USDA’s Universal Telecommunications Network

This report presents the results of the subject audit. Your written response, dated May 21, 2014,
is included in its entirety at the end of the report. Excerpts from your response and the Office of
Inspector General’s (OIG) position are incorporated in the relevant sections of the report. Based
on your May 21, 2014, response, and subsequent correspondence received on June 23, 2014 and
June 30, 2014, we accept management decision on Recommendations 1-17, 19 and 21.
Management decision has not been reached on Recommendations 18 and 20. To reach
management decision on these recommendations, please see the relevant OIG Position section in
the audit report.

In accordance with Departmental Regulation 1720-1, please furnish a reply within 60 days,
describing the corrective actions taken or planned, and timeframes for implementing the
recommendation for which management decision has not been reached.
Please note that the regulation requires management decision to be reached on all
recommendations within 6 months from report issuance, and final action to be taken within
1 year of each management decision to prevent being listed in the Department’s annual Agency
Financial Report. Please follow your internal agency procedures in forwarding final action
correspondence to the Office of the Chief Financial Officer.

We appreciate the courtesies and cooperation extended to us by members of your staff during our
audit fieldwork and subsequent discussions. This report contains publicly available
information and will be posted in its entirety to our website (http://www.usda.gov/oig) in the
near future.

Table of Contents

Background and Objectives
Section 1: UTN Management
Finding 1: OCIO Could Better Optimize its Oversight of UTN
         Recommendation 1
         Recommendation 2
         Recommendation 3
         Recommendation 4
         Recommendation 5
         Recommendation 6
         Recommendation 7
         Recommendation 8
         Recommendation 9
Finding 2: OCIO and OPPM Need to Ensure all Task Order Requirements Are Met
         Recommendation 10
         Recommendation 11
         Recommendation 12
         Recommendation 13
Section 2: Billing Process
Finding 3: OCIO Needs to Reconcile UTN Expenditures More Effectively
         Recommendation 14
         Recommendation 15
         Recommendation 16
         Recommendation 17
         Recommendation 18
         Recommendation 19
         Recommendation 20
         Recommendation 21
Scope and Methodology
Abbreviations
EXHIBIT A—Summary of Monetary Results
EXHIBIT B—Prior Audit Recommendations
Agency's Response

Background and Objectives

Background

The U.S. General Services Administration (GSA) entered into the Networx contract with various
service providers[1] to deliver telecommunication services to all Federal agencies that wanted to
participate. In July 2010, USDA awarded a task order using the GSA Networx contract with
AT&T for Department-specific services, having a total value of $350.9 million.[2] USDA’s Office
of Procurement and Property Management (OPPM) is responsible for oversight of the
Telecommunications (Telecomm) task order.

The Office of the Chief Information Officer’s (OCIO) Enterprise Network Service’s (ENS)
mission is to plan, implement, manage, and maintain USDA’s enterprise telecommunications
program. Its mission statement includes a commitment to deliver streamlined, secure, and
supportable products and services that are specifically tailored to its users. The Telecomm task
order terms state that ENS is responsible for administering and managing the Telecomm task
order and monitoring USDA telecommunications security, operations, and governance.
ENS performs the contracting officer’s representative (COR) duties for the Telecomm task order.

USDA’s Universal Telecommunications Network (UTN) is the data network backbone for
USDA customers and agencies. The UTN is comprised of two trusted internet connections
(TIC),[3] located in Washington, D.C., and San Francisco, California, and 16 customer edge router
(CER)[4] locations strategically placed throughout the country. Each TIC provides internet
connectivity for roughly half of the Department and has the capability to provide connectivity to
the entire Department during a failure of one TIC. The TIC initiative allowed USDA to reduce
and consolidate external access points across the Department, manage the security requirements,
and establish a compliance program to monitor Department and agency adherence to TIC policy.
The CER locations further extend the TIC benefits and security to local USDA users located
throughout the country by consolidating network connectivity for multiple agencies.

The Telecomm task order allows USDA agencies to procure additional telecommunication
services directly from AT&T, such as additional internal communication equipment and lines,
needed to conduct business. USDA has the option of having these services managed by AT&T
or un-managed. If un-managed, the agency is responsible for the administration of equipment,
services, and reconciliation of the bills. The UTN portion of the Telecomm task order is
managed services provided by AT&T and overseen by ENS. Telecommunication services
procured by USDA’s individual agencies were not included in the scope of this audit.

[1] The service providers under the Networx contract are: AT&T, CenturyLink Inc., Level 3
Communications, Sprint Corporation, and Verizon Communications.
[2] The original Networx contract term lasted from May 2007-May 2011, with three additional
2-year extension options for a total of 10 years. USDA’s Telecomm task order was signed in 2010
and will last for the remaining 7 years or until the $350.9 million is expended.
[3] The purpose of the TIC initiative, as outlined in OMB Memorandum M-08-05, dated
November 20, 2007, is to optimize and standardize the security of individual external network
connections currently in use by Federal agencies, including connections to the Internet. The
initiative will improve the Federal Government's security posture and incident response
capability through the reduction and consolidation of external connections and provide enhanced
monitoring and situational awareness of external network connections.
[4] The CER is a router located on USDA’s premises that provides a connection between USDA and
AT&T’s networks. In USDA’s instance it is between multiple agencies and the TIC.

Billing is handled through AT&T’s Business Direct, which was created as a secure web-based
portal providing access to a suite of ordering, billing, and maintenance tools. AT&T Business
Direct is designed to give Government customers 24x7 access to and control over their Networx
services and, in USDA’s case, control over its Telecomm task order from any internet-enabled
personal computer.
A standardized flow for each type of billing process should ensure that task
order activities and data exchanges are handled reliably for all service types and are in full
compliance with Government requirements for direct and centralized billing.

In August 2006, OIG conducted an audit of the Management and Security Over the
U.S. Department of Agriculture Universal Telecommunications Network.[5] The report identified
weaknesses in OCIO’s ability to effectively manage and secure this Department-critical general
support system. OCIO has taken some actions to address the weaknesses we identified in 2006.

Objectives

We conducted an audit of the UTN to obtain reasonable assurance that the system was
configured, managed, and ultimately secured in accordance with Departmental, Office of
Management and Budget (OMB), and National Institute of Standards and Technology (NIST)
guidance. Additionally, we performed a review of the Telecomm task order and billing to
determine whether Government funding had been properly managed, expended, and monitored
in accordance with the Government Accountability Office’s Standards for Internal Control.

[5] OIG identified several UTN security and operational issues in 88501-0006-FM, Management and
Security Over the U.S. Department of Agriculture Universal Telecommunications Network
(August 2006).

Section 1: UTN Management

Finding 1: OCIO Could Better Optimize its Oversight of UTN

We found that OCIO is not adequately overseeing the security and performance of the UTN.
This occurred because OCIO concentrated on the operational aspects of the UTN, without
adequate emphasis on security and management.
OCIO has not developed and implemented the necessary policies and procedures to ensure
inconsistencies and vulnerabilities on USDA’s network are identified and remediated timely;
contingency plans are adequate; equipment inventories are maintained; or that AT&T met all
Telecomm task order requirements, such as all contractor employees having the necessary
security clearances. In addition, OCIO has not effectively implemented all prior UTN audit
recommendations from OIG’s August 2006 audit (see Exhibit B). As a result, USDA's
telecommunications system faces an increased risk of sensitive information being lost,
disclosed, altered, or destroyed.

USDA’s Telecomm task order stipulates that OCIO has primary oversight and coordinates with
the contractor for installation, implementation, monitoring, management, problem resolution,
maintenance, and repair of the UTN. The Federal Information Security Management Act
(FISMA) emphasizes the need for each agency to develop, document, and implement an
enterprise-wide program to provide information security for all its information systems,
including those systems provided or managed by a contractor. However, the COR noted “a lack
of communications by and with AT&T regarding security services or requirements, poor
programmatic to track the progress of the security services, and the need to send a clarification
memo to AT&T to strengthen both.”

For instance, although the Information Systems Security Program Manager (ISSPM) created
eight plans of action and milestones (POA&Ms) to address some known problems, over
6 months later, seven POA&Ms were not approved by managers and were not being worked. As
of June 2014, all eight POA&Ms have been approved, five are currently in progress and being
addressed, and three are delayed.
This occurred because security was not properly integrated
into the UTN operational processes.

In addition, when the UTN’s service was updated in 2011, OCIO did not adequately implement
all previous OIG recommendations when establishing its new Telecomm task order for the UTN
services. While OCIO did substantially improve its firewalls in response to a 2006 OIG audit
recommendation, it did not appropriately ensure that all of the necessary security measures were
included in the current Telecomm task order for the UTN. Specifically, OCIO has not ensured
that the firewall rule sets at the two TIC locations were consistent and it has not effectively
implemented failover testing procedures.[6]

[6] Failover testing procedures outline the steps needed to continue communication when a failure
of a device or telecommunication line occurs. The task order requires AT&T to test these
procedures annually.

During this audit we identified the following issues:

         System Settings—OCIO did not periodically review or synchronize the firewalls and
         website filters at the two TIC locations.[7] In addition, there were conflicting website filter
         rules at USDA’s TIC sites and some rules were written incorrectly. For instance, one
         request for a filter exception was meant to allow a single user to access a certain website;
         however, we found the exception was written to allow the entire Department to access the
         site. ENS stated that it reviews and optimizes the firewall rules and website filters when
         it updates the settings. However, staff did not perform formal, comprehensive reviews of
         the website filters, and did not have an automated method to reconcile the voluminous
         firewall rules to ensure they were synchronized.
         These settings must remain
         synchronized for normal operations and disaster recovery to ensure security measures are
         applied consistently across the entire Department and not just for users at one TIC.
         Without adequate firewall rules and website filters, USDA personnel could potentially
         download malicious software.[8]

         Scans and Vulnerabilities—USDA’s Telecomm task order requires AT&T to perform
         monthly security scans to identify vulnerabilities on all devices, and notify USDA as
         soon as it becomes aware of an issue. We found that AT&T was not scanning 40 of
         229 devices on a monthly basis. AT&T did not have these 40 devices on the inventory it
         was using to scan. The inventory was outdated and AT&T was not performing discovery
         scans that would have created an up-to-date listing. Discovery scans will identify all
         active devices on a network, even those not on an inventory. Instead, AT&T based its
         vulnerability scans on an outdated list of devices, which did not include these 40 devices.

         In addition, we noted 21 vulnerabilities were not remediated in a timely manner, 18 of
         which were overdue by at least 60 days. We found three vulnerabilities were missing
         patches that AT&T should have applied and had documented these patches as issues
         needing resolution. Without continuous monitoring of vulnerability scans and patch
         management, the network could be compromised with malware in the event of an attack.

         Governmentwide Security Standards—NIST provides mandatory minimum physical
         and environmental security standards for Government systems. We visited the 2 TIC
         sites and 6 of 16 CER sites and found a total of 32 instances where standards were not
         met.
         For example, we found both TIC sites and three CER sites either did not keep
         physical visitor logs or review them on a regular basis. Given that sites sometimes have
         different security needs, OCIO should evaluate each site and determine a set of minimum
         physical and environmental controls based on cost and risk.

[7] Firewall rules block or allow specific traffic passing through from one side of the router to
the other. Inbound rules restrict access by outsiders to private resources, selectively allowing
only specific outside users to access specific resources. Outbound rules determine what outside
resources local users can have access to. Website filters block access to certain websites based
on USDA requests.
[8] Malicious software, or malware, refers to software designed specifically to damage or disrupt
a system, such as a virus or a Trojan horse.

         Contingency Planning—Although required by the Telecomm task order, we found
         AT&T did not test its contingency plan for the UTN in 2012, and that 13 of
         23 contingency plan requirements remained unfulfilled. Since 2011 ENS has not
         conducted a test to verify that sufficient capacity exists at each TIC location. In the event
         that one TIC fails, the other site must handle all USDA traffic and must be sized
         adequately during peak usage. ENS considers failing the machines over during off-peak
         maintenance periods as sufficient testing; however, this does not meet NIST requirements
         for Federal agencies to test and exercise contingency plans for information systems, to
         review the contingency plan test/exercise results, and initiate corrective actions.[9]

         In two actual failovers that occurred during normal working hours in 2013, the bandwidth
         capacity was sufficient to avoid a total shutdown failure.
         However, peak internet traffic
         during the failovers reached approximately 98 percent and 92 percent of the available
         bandwidth—coming so close to capacity risks performance degradation and information
         loss. These high utilization rates occurred because the existing communication lines had
         not been sized to ensure optimum bandwidth; since these outages, OCIO stated it has
         increased the bandwidth of the communications lines. By not meeting the key
         requirements of contingency and failover testing, USDA’s network is at risk of failure in
         the event of a disaster.

         Equipment Tracking—AT&T does not maintain an accurate inventory of the UTN
         devices. An accurate and up-to-date inventory, controlled by active monitoring and
         configuration management, can reduce the chance of attackers finding unauthorized and
         unprotected systems to exploit. Also, old, unused equipment that has been replaced by
         the new TIC equipment still contains sensitive USDA data because it has not been
         scrubbed.

         Security Clearances—We found that OCIO was not adequately monitoring task order
         required clearances. The Telecomm task order required that AT&T personnel having
         access to USDA data have, at a minimum, a secret level clearance with a background
         investigation. However, we identified 167 out of 370 contractors working on the UTN
         who did not have a secret level security clearance, as required.
         As a result of our review,
         OCIO and AT&T modified the Telecomm task order in November 2013 to require a
         Public Trust Level 6 background investigation, rather than a secret level security
         clearance.[10] OCIO needs to determine whether all AT&T contractors accessing UTN
         systems have successfully passed the required background investigation.

         Contractor Access—OCIO did not track contractors supporting the UTN. We found
         that neither AT&T nor OCIO could provide OIG an accurate listing of all AT&T
         personnel working on the UTN. USDA did not know which AT&T contractors had been
         given access to USDA systems and the level of access each contractor had been provided.
         As a result, sensitive data and systems could be at risk if accessed by unscrupulous
         persons. OCIO needs to work with AT&T to develop a process so that OCIO always has
         an up-to-date list of AT&T personnel supporting the UTN.

[9] NIST Special Publication (SP) 800-53 Revision 3, Recommended Security Controls for Federal
Information Systems and Organizations, August 2009.
[10] Public Trust is a designation for positions which require a high degree of integrity with
public confidence in the individual occupying the position. Level 6 means “high-risk.”

Despite OCIO being aware of some of the issues described above, it did not take sufficient
actions to address them. ENS' ISSPM had created eight POA&Ms to address various network
security issues we found in this audit. Yet when we began our audit, seven of the eight open
plans were not approved by management, and one was being actively worked. OCIO has since
approved all eight plans, five of which are progressing, while three are delayed.
As noted earlier,
this occurred because of the emphasis on operations over security. NIST SP 800-53 requires that
organizations approve configuration-controlled changes to the system, with explicit
consideration for security impact analyses, and that the organization analyzes changes to the
information system to determine potential security impacts prior to change implementation.

In May 2013, the Contracting Officer (CO) for the Telecomm task order sent a letter noting some
communication problems between AT&T and OCIO, stating that both parties needed to ensure
they have appropriate guidance and direction through approved channels. Later, in July 2013,
OCIO brought the issues in our audit to the attention of AT&T management, who said they are
“committed to supporting USDA’s desire to resolve issues and strengthen network service
delivery.”

While meeting with AT&T and approving POA&Ms are positive steps, we believe that OCIO
needs to take additional actions to more effectively address security and management issues,
including developing and implementing new security procedures and improving its
communications with AT&T.

Recommendation 1

OCIO needs to ensure the ISSPM is integrated into all aspects of the UTN project and that all
security decisions are documented.

Agency Response

In the audit report response, dated May 21, 2014, OCIO ENS accepted this recommendation
and stated that ENS will complete a project to ensure that the ISSPM is integrated into all
aspects of the UTN with the following milestones:

    ENS will establish a policy to define the ISSPM role within the UTN change
    management process, related projects and POA&M management, and ensure all
    security decisions are documented.
    Target Completion Date: July 30, 2014.

    ENS COR will prepare language changes and request the OPPM Procurement
    Operations Division (POD) CO modify the AT&T Networx contract to establish a
    project plan that will incorporate the ISSPM into all phases of UTN management
    requiring ISSPM review and/or approval. Target Completion Date: July 30, 2014.

    ENS will oversee the completion of the implementation of a Change Management
    Procedure consistent with the new ISSPM policy. Target Completion Date:
    September 30, 2014.

OIG Position

We accept OCIO’s management decision for this recommendation.

Recommendation 2

OCIO needs to develop, document, and implement procedures to ensure that a security impact
analysis is performed on all changes to the UTN services prior to implementation.

Agency Response

OCIO ENS accepts this recommendation. ENS will complete a project to ensure a security
impact analysis is performed on all changes to the UTN with the following milestones:

    ENS will modify the Change Management Procedure for the UTN to integrate a security
    impact analysis. Target Completion Date: July 30, 2014.

    The ENS COR will prepare language changes and request the OPPM POD CO modify the
    AT&T Networx contract to incorporate the revised change management procedure in the
    contract deliverables. Target Completion Date: September 30, 2014.

OIG Position

We accept OCIO’s management decision for this recommendation.

Recommendation 3

OCIO needs to develop and implement procedures to synchronize the firewall rule sets and
website filters so that consistency is maintained at the two TIC locations. Review the rule sets
and filters on a routine basis, at least annually, and automate the procedures for better continuous
monitoring.

Agency Response

OCIO ENS accepts this recommendation.
ENS will complete a project to address the
recommendations regarding the accuracy of the security policies and ongoing maintenance
with the following milestones:

    ENS will implement a Security Policy Verification procedure and a URL [Uniform Resource
    Locator] Filter Exception procedure to ensure security policies are consistent across the
    UTN, and continuous monitoring in place that will review rule sets and filters at least
    annually to ensure all security policies remain consistent and relevant to the USDA mission.
    Target Completion Date: November 30, 2014.

    ENS will recertify all existing URL filtering exceptions requested by the agencies to date.
    Target Completion Date: April 15, 2015.

OIG Position

We accept OCIO’s management decision for this recommendation.

Recommendation 4

OCIO needs to develop and implement controls, including discovery scans, to ensure all network
devices are scanned on a monthly basis. In addition, develop and implement a process to timely
remediate vulnerabilities and apply software patches according to Departmental guidance.

Agency Response

OCIO ENS accepts this recommendation. ENS will complete a project to ensure adequate
security controls are in place regarding discovery and vulnerability scans, including remediation,
for the UTN with the following milestones:

    ENS will establish a Security Discovery, Scanning, and Remediation Procedure to address
    all processes mentioned in the OIG recommendation. Target Completion Date:
    July 30, 2014.

    The ENS COR will prepare language changes and request the OPPM POD CO to modify
    the AT&T Networx contract to incorporate the Security Discovery, Scanning, and
    Remediation procedure as part of the contract performance.
Target Completion Date:
    October 30, 2014.

OIG Position

We accept OCIO’s management decision for this recommendation.

Recommendation 5
OCIO needs to develop and implement the minimum physical and environmental controls
required for each UTN site based on the security risk and priority of the site.

Agency Response

OCIO ENS accepts this recommendation. ENS will complete a project to ensure UTN sites meet
the minimum physical and environment controls with the following milestones:

   ENS will evaluate and select one of two courses of action to address the recommendation.
   OCIO management will approve either the replacement of the current Internet Service with
   an existing MTIPS [Managed Trusted Internet Protocol Service] service that meets all
   recommendations, or to bring the current Internet Service in compliance with the contract.
   Target Completion Date: December 30, 2014.

   The ENS COR will prepare language changes and request the OPPM POD CO to modify the
   AT&T Networx contract to request a technical solution for the course of action selected.
   ENS will complete all acquisition and contracting activities necessary to fund and initiate the
   plan. Target Completion Date: July 30, 2015.

   ENS will evaluate the proposed technical solution and the ENS COR will work with the
   OPPM POD Contracting Officer to negotiate the award of the final technical solution.
   Target Completion Date: December 30, 2015.

   ENS will oversee the completion of construction and development of the final technical
   solution. Target Completion Date: June 30, 2016.

   ENS will complete Agency transition to the final technical solution.
Target Completion
   Date: January 30, 2017.

OIG Position
We accept OCIO’s management decision for this recommendation.

Recommendation 6

OCIO needs to develop and implement procedures to perform disaster recovery/failover tests, at
least annually.

Agency Response

OCIO ENS accepts this recommendation. ENS has completed a disaster recovery test of the TIC
portals and will continue to do so annually. ENS will provide supporting artifacts to OIG to
demonstrate completion of the disaster recovery test and provide updated procedure
documentation to ensure the annual completion of the testing. Completion Date:
March 15, 2014.

OIG Position
We accept OCIO’s management decision for this recommendation.

Recommendation 7
OCIO needs to develop and implement oversight procedures for inventory management.

Agency Response

OCIO ENS accepts this recommendation. ENS will establish a procedure for oversight of UTN
inventory managed by contractors. Completion Date: October 31, 2014.

OIG Position

We accept OCIO’s management decision for this recommendation.

Recommendation 8
OCIO needs to develop and implement a plan to remove and purge unused equipment from the
UTN infrastructure.

Agency Response

OCIO ENS accepts this recommendation. ENS has completed the removal and purge of unused
equipment within the UTN TIC infrastructure. ENS will provide supporting artifacts to OIG to
demonstrate completion.
Completion Date: December 19, 2013.

OIG Position

We accept OCIO’s management decision for this recommendation.

Recommendation 9
OCIO and OPPM need to develop and implement procedures to ensure all personnel working on
the Telecomm task order are identified and have the required background investigation.

Agency Response
In the audit report response, dated May 21, 2014, and a subsequent correspondence on June 23,
2014, OCIO ENS and OPPM POD stated that they accept this recommendation. ENS will
recommend to the OPPM POD CO to implement a project that ensures all personnel working
on the UTN task order are identified and have completed all required background checks with
the following milestones:

   ENS COR will issue a request to the AT&T contract authority for a current listing of all
   AT&T personnel assigned to the USDA AT&T Networx task order, and their respective
   clearance level(s) with a due date of July 31, 2014. Completion Date: June 30, 2014.

   ENS will establish a UTN Contractor Investigation procedure with AT&T. Completion
   Date: December 30, 2014.

   ENS will complete the identification and investigation of all contractor staff working under
   the telecom task order. Completion Date: April 15, 2015.

OIG Position
We accept OCIO and OPPM’s management decision for this recommendation.

Finding 2: OCIO and OPPM Need to Ensure all Task Order Requirements
Are Met
We found network security features required by the Telecomm task order that AT&T had not
installed in the 3 years since the Telecomm task order was signed. Specifically, some required
network features were not complete, and security and data loss prevention measures were not
fully implemented.
This occurred because the previous CO and COR lacked the necessary
controls to ensure that all security provisions required by the Telecomm task order were met.
Neither the previous COR and CO nor the current CO had a methodology for monitoring
AT&T's compliance with the Telecomm task order. In addition, both the current COR and CO
were newly assigned to the Telecomm task order and the CO was unaware of some of the
requirements. The CO stated that he did not have a copy of the Telecomm task order, even after
being assigned to it for 6 months. The CO stated that his Division was short-staffed and he had
not yet had time to address the Telecomm task order.

As a result of inadequate oversight, we found that USDA is paying for UTN services that are not
being provided. USDA might be missing cost saving opportunities if the CO finds that task
order relief is appropriate in these situations. Failure to implement required security measures
increases the risk that sensitive USDA information could be compromised. OPPM needs to
develop and implement procedures for reassigning contracts and task orders to COs to ensure
they are provided relevant materials, understand their responsibilities, and monitor the contractor
performance.

The Federal Acquisition Regulation states that COs are responsible for ensuring performance of
all necessary actions for effective contracting and compliance with the terms of the Telecomm
task order. Additionally, the Telecomm task order requires OCIO to take specific measures to
ensure the UTN is secure.
The particular issues we identified are detailed below:

         Security Functions—The Telecomm task order requires that a virtual private network
         (VPN) be implemented for external connections, such as teleworking from home, as well
         as an intrusion prevention system (IPS)[11] that blocks harmful activity.[12] However, we
         found that the implemented VPN was not being utilized by all USDA agencies. Also, the
         IPS was not enabled. Without these systems in place, unauthorized access to USDA
         systems and potentially harmful activity could occur without being identified and
         blocked.

[11] An IPS monitors network traffic and provides a preemptive approach to network security used to identify potential
threats and respond to them proactively.
[12] A VPN is a network that uses a public telecommunication infrastructure, such as the internet, to provide remote
offices or individual users with secure access to their organization's network.
[13] Data loss prevention is a strategy for making sure that users do not send sensitive or critical information outside of
their network.

         Data Loss Prevention—Despite being included in the Telecomm task order as a
         requirement three times, AT&T did not install or implement a data loss prevention (DLP)
         solution for the UTN.[13] Also, OCIO was not aware that a DLP solution was required by
         the Telecomm task order until OIG brought it to their attention. When OCIO asked
       AT&T about this issue, AT&T was reluctant to provide the services. When OIG asked
       why, OCIO stated that there were two causes; the first was “a combination of general
       Networx contract capability limitations and installation delays,” and the second was a
       dispute with AT&T over the capabilities of the DLP solution. This is still awaiting
       resolution.
Without a functioning DLP solution, sensitive data is at risk for exposure
       outside of USDA.

       Two-Factor Authentication—Departmental Regulations (DR) state that all methods of
       remote access to USDA networks must use a two-factor authentication mechanism,
       which typically involves a physical token, such as a card, and something that is
       memorized, such as a security code. In signing the Telecomm task order, AT&T agreed
       to provide and support two-factor authentication access to the UTN network devices.
       However, we found that AT&T network administrators were not using two-factor
       authentication when managing the UTN network devices, even though it is a task order
       requirement. ENS stated that this has been an ongoing issue, and though its security
       officer has been working to implement a two-factor solution, AT&T’s project
       management office has not yet addressed this security vulnerability. Without two-factor
       authentication, there is an increased risk of unauthorized access to the UTN and its
       components.

While OCIO has taken actions on some of the above issues, it has not effectively or timely
implemented the terms of the Telecomm task order, as these vulnerabilities still exist. For
example, OCIO created a POA&M in July 2012 to address the lack of two-factor authentication
for accessing the network devices. However, work on the plan of action was still in progress, as
AT&T had not yet fully implemented a two-factor solution. Once they became aware that the
DLP was a Telecomm task order requirement, OCIO officials began working on a resolution via
a formal dispute with AT&T, after which they hope to get a data loss prevention solution
implemented.

OCIO, the CO, and the COR need to improve their internal processes for overseeing task orders
and enforcing the task order requirements.
OCIO needs to work with AT&T to strengthen the
UTN’s security measures to meet DR and task order terms. The CO and COR should be
included on all communications with AT&T regarding changes/disputes/lack of performance. In
addition, USDA is paying for Telecomm task order services that have not been provided. USDA
should research and, if applicable, seek reimbursement from AT&T for required services USDA
is paying for, but that AT&T has not provided. The CO must ensure that AT&T meets its
contractual obligations within established timeframes, as specified in the task order; if not met,
penalties should be assessed.

Recommendation 10
OPPM needs to develop and implement procedures for reassigning contracts and task orders to
its COs to ensure they are provided relevant materials, understand their responsibilities, and
monitor contractor performance.

Agency Response

In the audit report response, dated May 21, 2014, OPPM POD stated it accepts this
recommendation. POD will establish an Acquisition Operating Procedure to address the
reassignment of solicitations and contracts. Completion Date: July 31, 2014.

OIG Position
We accept OPPM’s management decision for this recommendation.

Recommendation 11

The CO needs to inform all parties that correspondence or discussions regarding task order
changes/disputes/lack of performance are the sole responsibility of the CO.

Agency Response
OPPM POD accepts this recommendation. The CO assigned to the contract will issue a letter
to the COR and the Contractor reiterating that the CO has the sole authority to obligate the
Government by awarding and modifying contracts.
Completion Date: April 30, 2014.

OIG Position

We accept OPPM’s management decision for this recommendation.

Recommendation 12
OPPM and OCIO need to research and, if applicable, seek reimbursement for unimplemented
contract services USDA is paying for, but that AT&T has not provided.

Agency Response

OPPM POD and OCIO ENS accept this recommendation. ENS will work with POD to
research and if applicable, seek reimbursements for unimplemented contract services.
Completion Dates: September 30, 2014.

OIG Position

We accept OPPM and OCIO’s management decision for this recommendation.

Recommendation 13

OPPM should require AT&T to meet its contractual obligations and establish timeframes for
AT&T to be in compliance with the terms of the Telecomm task order or take appropriate action
if requirements are not met in a timely manner.

Agency Response

OPPM POD accepts this recommendation. The CO and COR will complete a contract
compliance review and identify those contract requirements that are currently not being
performed. The CO will notify the Contractor of any non-compliance and request a corrective
action plan. Completion Date: October 31, 2014.

OIG Position

We accept OPPM’s management decision for this recommendation.

Section 2: Billing Process
Finding 3: OCIO Needs to Reconcile UTN Expenditures More Effectively
OCIO management does not ensure that its telecommunications office performs an adequate
billing reconciliation of UTN charges on a monthly basis. While the office does have procedures
in place for reconciliation, we found that the procedures were inadequate and outdated.
Also, the
telecommunication mission area control officer (TMACO) in the Telecom Management &
Governance Division of the ENS did not follow procedures for billing disputes and did not
adequately perform billing reconciliations, as required in the Telecomm task order and by
DR 3300-020.[14] This occurred because the Telecomm Management & Governance Division
procedures did not specify how to perform a detailed reconciliation. The TMACO was unable to
clearly explain how to perform monthly billing reconciliations and other related issues. As a
result, when AT&T completed an audit in 2012, it found USDA had been both overbilled and
under-billed for an aggregate total of more than $1.9 million. We analyzed AT&T invoices
totaling $16,848,283 from May[15] of 2011 to March of 2013. As a result, we noted that even after
OCIO became aware of the problem, it did not fix the billing discrepancies and AT&T continued
to overbill almost $90,000 in subsequent months. We also noted that OCIO did not follow
the task order guidelines for filing billing disputes, and did not seek appropriate reimbursement.

DR 3300-020 specifies that the TMACO will establish a process to review usage and billing of
telecommunication resources to ensure compliance with Departmental and other policies and
guidelines. Additionally, the regulations state that agency TMACOs will have a broad
understanding of the policies, principles, and financial management processes for
telecommunications, as defined by USDA. The GSA Networx contract states that formal billing
disputes should be filed for any questionable billing errors.

        Overcharges—At the direction of OCIO, AT&T conducted an internal billing audit in
        2012 and discovered that it had both overbilled and under-billed USDA, for an aggregate
        total of over $1.9 million in overcharges. The billing errors included services
        with recurring monthly charges that should have been one-time only charges.
AT&T
        returned the money when the audit was concluded. After learning of the overcharges, we
        analyzed OCIO’s billing processes and subsequent months’ bills. We found that OCIO
        was still not performing a sufficient and effective reconciliation. The same recurring
        charges continued 2 months after the internal audit was issued, resulting in overbilled
        amounts totaling $89,719.58. OCIO was unaware of these overcharges; as of July 2013,
        OCIO had not made a formal dispute or reimbursement request. The TMACO stated
        that, due to a lack of staff resources, he does not have time to do an extensive billing
        review every month.

[14] DR 3300-020, Telecommunications Mission and Control Officer (TMACO)-Roles and Responsibilities,
August 30, 2010.
[15] A charge in March of 2011 was the very first expenditure made against the Networx task order on the first invoice
of May 1, 2011, for USDA OCIO.

        We also found that OCIO did not follow the terms of the Telecomm task order and did
        not file a billing dispute for the $1.9 million through the formal task order management
        system.
This occurred because ENS and AT&T circumvented the CO and Telecomm
        task order terms and agreed to an informal billing inquiry, instead of utilizing Business
        Direct, which is the formal process for resolving billing issues in the Telecomm task
        order.[16] We believe that, despite already receiving reimbursement, OCIO should file a
        formal dispute in Business Direct, which serves as the designated tracking system for all
        disputes and transition credits.[17] Without having access to proper data on such a large
        overcharge, GSA may not be able to gauge the effectiveness of AT&T’s billing process.

        Credit Reimbursements—When there is a UTN outage, USDA is eligible for a credit
        for the time services were unavailable. When we examined two outages[18] that occurred
        in January and May of 2013, we calculated that USDA was due a total reimbursement
        of $42,968. However, we found the TMACO did not know about the outages and had
        not submitted credit requests. After we identified this issue, OCIO took action to collect
        these credits.

        OCIO claimed it had requested reimbursements for two system outages that occurred in
        March 2012, with credits totaling $19,335, and received the requested funds.
        However, OIG could not verify that the correct dollar amounts had been reimbursed, as
        the Business Direct system did not show the details of the reimbursement. This occurred
        because AT&T provides payments for a variety of services and equipment, which
        sometimes include reimbursements, as lump sums within Business Direct.
Therefore,
        both entities were unable to provide specific documentation for the $19,335, which did
        not allow us to confirm that the proper amount had been reimbursed.

The TMACO and another IT specialist are overseen by the Director of a three-person group.
The TMACO is responsible for performing billing reconciliation, but does not have any financial
analysis or other billing-related job duties in his position description. When we discussed these
issues with OCIO, the Director stated that the office did not perform reconciliations and, instead,
used estimates to track monthly charges. We found that the estimates prepared did not match the
actual charges over the year-long period we reviewed. OCIO acknowledged that this approach
was a problem, sought clarification from AT&T on the recent overcharges, and reported that it is
now implementing a Telecommunications Expense Management System that will aid in the
reconciliation process.

Without adequate oversight and a detailed reconciliation process in place, OCIO cannot ensure
expenditures are correct and properly managed. OCIO has the fiscal responsibility to ensure that
monthly bills are properly reviewed, and USDA is not unfairly charged for services that are not
being provided.
In particular, the TMACO’s roles and responsibilities should be further clarified
to ensure that the person in the position is fully capable of performing billing reconciliation or
the TMACO’s position description needs to be modified at ENS. It is imperative that someone
performs the billing reconciliation.

[16] Business Direct is a secure, web-based portal providing access to ordering, billing, and maintenance tools.
[17] Transition Credit Reimbursement is defined as the reimbursement of certain Agency-incurred expenses associated
with the transition from FTS2001 to the Networx contract.
[18] An outage is a telecommunication service condition wherein a user is deprived of service due to a malfunction of
the contractor’s communication system.

Recommendation 14
OCIO needs to update the TMACO’s job description in accordance with Departmental
Regulations. The position’s responsibilities and required knowledge should include an
understanding of financial management and billing processes. In addition, ensure the TMACO
has the training necessary, so that adequate billing reconciliations can be performed.

Agency Response

In the audit response, dated May 21, 2014, OCIO ENS stated that it accepts this
recommendation. ENS will update the TMACO job description in accordance with
Departmental Regulations. ENS will ensure the TMACO receives appropriate training to
support performance of assigned financial management and billing reconciliation duties. ENS
will provide artifacts to support completion of this recommendation. Completion Date:
December 31, 2014.

OIG Position

We accept OCIO’s management decision for this recommendation.

Recommendation 15
OCIO needs to establish procedures requiring that the UTN bills be reviewed and reconciled
monthly.
A manager needs to review the monthly billing reconciliations for accuracy, and then
initial and date them to indicate that the bills are accurate and reviewed timely.

Agency Response
OCIO ENS accepts this recommendation. Currently:

     ENS performs a manual reconciliation of monthly billing including validation of charges
     against ATQs [Acquisition to Quotes] to ensure correctness of new services ordered and
     received. A manager will review the monthly billing reconciliation for accuracy, sign and
     date to signify acceptance, and record results in a tracking log. The documented procedures
     will be updated to reflect the revised process. Completion Date: June 30, 2014.

     ENS has contracted with a third-party vendor to design and develop the
     Telecommunications Expense Management (TEM) system to automate expense
     management processes for USDA. Phase I includes reporting and an executive dashboard
     that support manual billing reconciliation; Phase II will include automated validation of
     ATQs against billed services to streamline the reconciliation process. When the TEM
   system is deployed, the documented procedures will be updated to reflect the new
   processes. Management review and approval will continue to be a part of the monthly
   reconciliation procedure for the new TEM system. Completion Dates: Phase I, July
   31[, 2014 and]/Phase II, December 31, 2014.

OIG Position

We accept OCIO’s management decision for this recommendation.

Recommendation 16
OCIO needs to require that all billing disputes are submitted in accordance with the terms of the
Networx contract.

Agency Response
OCIO ENS accepts this recommendation. ENS will implement an internal policy directing that
all disputes be filed in the Business Direct portal. ENS will provide artifacts to support
completion of this recommendation.
Completion Date: June 30, 2014.

OIG Position
We accept OCIO’s management decision for this recommendation.

Recommendation 17
OCIO needs to submit a billing dispute to Business Direct for the $1,916,667.88 in billing errors
that were discovered by AT&T in 2012, so that this transaction is tracked.

Agency Response

OCIO ENS accepts this recommendation. In 2012, ENS submitted a request for AT&T to
investigate the overbilling of DMRC [Device Monthly Recurring Charge] CLINs [Contract
Line Item Numbers] at multiple locations; since the request was submitted by email, a single
dispute ticket was not generated. When adjustments were processed (September 1, 2012 bill),
approximately 950 dispute numbers were generated for the individual CLINs/locations. ENS
will provide a list of the dispute numbers related to the $1,916,667.88 net adjustment to support
completion of this recommendation. Completion Date: June 30, 2014.

OIG Position

We accept OCIO’s management decision for this recommendation.

Recommendation 18
OCIO needs to confirm reimbursements were received for the $89,719.58 in overcharges.

Agency Response
OCIO ENS accepts this recommendation. ENS confirmed receipt of adjustments for $89,719.58
overcharges and will provide artifacts to support completion of this recommendation. The
documented billing review process includes tracking of billing disputes from filing in Business
Direct through verification of adjustment as part of the monthly billing reconciliation and
management validation. Completion Date: June 30, 2014.

OIG Position
We are unable to reach management decision based on OCIO’s response.
In order to reach
management decision per DR 1720-1, OCIO needs to provide evidence that receivables for the
overcharged amounts were established and a bill of collection was issued to the contractor.

Recommendation 19
OCIO needs to develop and implement a periodic supervisory review process to monitor system
outages and ensure that any appropriate credit requests are submitted to AT&T. Requested
credits should be tracked to determine whether they have been reimbursed.

Agency Response

OCIO ENS accepts this recommendation. ENS will provide artifacts to demonstrate the
established process for reviewing monthly AT&T SLA [Service Level Agreement] reports.
The documented SLA review process includes tracking of SLA Credit requests from filing
through verification of adjustments as part of the monthly billing reconciliation and
management validation. Completion Date: June 30, 2014.

OIG Position
We accept OCIO’s management decision for this recommendation.

Recommendation 20
OCIO needs to confirm reimbursements were received for the $42,968 system outage credits
identified.

Agency Response

OCIO ENS accepts this recommendation. ENS confirmed receipt of all eligible credit
adjustments and will provide artifacts to demonstrate completion of this recommendation. The
documented SLA review process includes tracking of SLA Credit requests from filing through
verification of adjustments as part of the monthly billing reconciliation and management
validation. Completion Date: June 30, 2014.

OIG Position
We are unable to reach management decision based on OCIO’s response.
In order to reach
management decision per DR 1720-1, OCIO needs to provide evidence that receivables for the
overcharged amounts were established and a bill of collection was issued to the contractor.

Recommendation 21
OCIO needs to request that AT&T provide a detailed statement that includes information for
each of the individual credits in any lump sum payment.

Agency Response
OCIO ENS accepts this recommendation. ENS will provide sample reports from Business
Direct that show a detailed break-down of the credit adjustments, along with their associated
CLINs and billing periods, as artifacts to support completion. The documented billing review
and SLA review processes include tracking of billing disputes and SLA credit requests from
filing through verification of adjustments as part of the monthly billing reconciliation and
management validation. Completion Date: June 30, 2014.

OIG Position

We accept OCIO’s management decision for this recommendation.

Scope and Methodology
Our audit reviewed selected UTN control objectives specified in the Telecomm task order and
OCIO’s related policies and procedures, to determine if they were suitably designed and if they
conformed to the minimum security requirements mandated by NIST SP 800-53 Revision 3,
Recommended Security Controls for Federal Information Systems and Organizations. Audit
fieldwork ran from December 2012 through August 2013. The audit scope focused on OCIO’s
management and security over USDA’s UTN and OPPM’s management of the task order.
Because OCIO procured AT&T’s services, our audit scope needed to include OPPM’s
administration of the task order.
We obtained invoices and financial documents from the
beginning of the Telecomm task order in July 2010 through February 2013. Site visits were
made to Ft. Collins, Colorado; San Francisco, California; and Washington, D.C.; TIC locations
and selected CER locations (Albany, California; Beltsville, Maryland; Denver, Colorado; Kansas
City, Missouri; and multiple locations in Washington, D.C.).

We tested Departmental records and third-party task orders, interviewed OCIO, OPPM, and
AT&T personnel, and used computer-aided auditing techniques. We performed tests of the
UTN’s controls to determine if they were operating with sufficient effectiveness to provide
reasonable assurance that specified control objectives were achieved. AT&T and OCIO
provided all invoices for the period of the Telecomm task order. We also analyzed the task order
and related expenditures. AT&T provided a list of invoices from May of 2011 to March of 2013
totaling $16,848,283 for the Telecomm task order. We performed analysis of all invoices to
identify if funds were properly managed, expended, and monitored.

As specified in the findings of this report, we used various DRs and manuals related to
IT security and Governmentwide publications, such as Federal Information Processing
Standards, NIST, and OMB Circulars, as guidelines for this review. As deemed necessary,
various software products were used to evaluate IT security.

We conducted this audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

Abbreviations

ATQ ............................
Acquisition to Quote
CER ............................. Customer Edge Router
CLIN ........................... Contract Line Item Numbers
CO ............................... Contracting Officer
COR ............................ Contracting Officer’s Representative
DLP ............................. Data Loss Prevention
DMRC ......................... Device Monthly Recurring Charge
DR ............................... Departmental Regulations
ENS ............................. Enterprise Network Services
FISMA ........................ Federal Information Security Management Act
GSA............................. General Services Administration
GAO ............................ Government Accountability Office
IPS ............................... Intrusion Prevention System
ISSPM ......................... Information Systems Security Program Manager
MTIPS ......................... Managed Trusted Internet Protocol Service
NIST ............................ National Institute of Standards and Technology
OCFO .......................... Office of the Chief Financial Officer
OCIO ........................... Office of the Chief Information Officer
OIG ............................. Office of Inspector General
OMB ........................... Office of Management and Budget
OPPM.......................... Office of Procurement and Property Management
POA&M ...................... Plan of Action and Milestones
POD............................. Procurement Operations Division
SLA ............................. Service Level Agreement
SP ................................ Special Publication
Telecomm ................... Telecommunications
TIC .............................. Trusted Internet Connection
TMACO ...................... Telecommunications Mission Area Control Officer
URL............................. Uniform Resource Locator
USDA.......................... Department of Agriculture
UTN ............................
Universal Telecommunications Network\nVPN............................. Virtual Private Network\n\n\n\n\n                                                                 AUDIT REPORT 88501-0002-12   23\n\x0cEXHIBIT\xc2\xa0A\xe2\x80\x94Summary\xc2\xa0of\xc2\xa0Monetary\xc2\xa0Results\xc2\xa0\n\nExhibit A summarizes the monetary results for our audit report by finding and recommendation\nnumber.\n\nFinding       Recommendation           Description             Amount          Category\nNumber\n     3              18         AT&T had overbilled             $89,719       Questioned\n                               USDA. The billing errors                     Cost, Recovery\n                               included services with                       Recommended\n                               recurring monthly charges\n                               that should have been one-\n                               time charges.\n     3              20         USDA did not submit credit      $42,968       Questioned\n                               requests for two outages                     Cost, Recovery\n                               that occurred in January and                 Recommended\n                               May of 2013.\n Total                                                         $132,687\n\n\n\n\n24       AUDIT REPORT 88501-0002-12\n\x0cEXHIBIT\xc2\xa0B\xe2\x80\x94Prior\xc2\xa0Audit\xc2\xa0Recommendations\xc2\xa0\n\nFollowup Review of Recommendations from OIG Audit Report 88501-0006-FM,\nAugust 2006\nRecommendation19                                               Conclusion\n3. Establish a plan, with specific completion                  OCIO implemented security measures in\ndates, when security measures under UTN will                   accordance with the previous statement of\nbe designed and implemented effectively.                       work. 
However, new requirements have\n                                                               identified the following security measures\n                                                               that still need to be implemented: VPN, IPS,\n                                                               DLP, and Two-factor Authentication.\n4. Ensure that the gateway firewalls deny all                  OCIO did implement the Deny All Rule.\ntraffic that is not specifically allowed, and                  However, OCIO did not periodically review\nestablish controls to ensure that firewall rule                or synchronize the firewalls and website\nchanges are authorized and adequately                          filters at the two TIC locations, so they are\ncontrolled.                                                    still not adequately controlled.\n5. Establish a plan, with specific completion                  Implemented\xe2\x80\x94During two failovers in\ndates, when the UTN gateways will be designed                  2013, the bandwidth capacity was sufficient\nto handle the USDA traffic with adequate                       to avoid a total shutdown. However, peak\nfailover capabilities.                                         Internet traffic during the failovers reached\n                                                               approximately 98 percent and 92 percent of\n                                                               the available bandwidth. 
During the course\n                                                               of this audit OCIO stated it has increased\n                                                               the bandwidth of the communications lines.\n\n\n\n\n19\n     Recommendation 1 and 2 in the prior audit was not covered because they were outside the scope of this audit.\n\n                                                                          AUDIT REPORT 88501-0002-12                25\n\x0c26   AUDIT REPORT 88501-0002-12\n\x0cAgency's\xc2\xa0Response\xc2\xa0\n\n\n\n\n                USDA\xe2\x80\x99S\n   OFFICE OF THE CHIEF INFORMATION\n               OFFICER\n                  and\n     OFFICE OF PROCUREMENT AND\n        PROPERTY MANAGEMENT\n         RESPONSE TO AUDIT REPORT\n\n\n\n\n                         AUDIT REPORT 88501-0002-12   27\n\x0c\x0c                                       United States Department of Agriculture\n\n\n\nDepartmental          TO:               Gil H. Harden\nManagement\n                                        Assistant Inspector General for Audit\nOffice of the Chief                     Office of Inspector General\nInformation Officer\n\n1400 Independence     FROM:             Cheryl L. Cook /s/        May 21,2014\nAvenue S.W.                             Chief Information Officer\nWashington, DC\n20250                                   Office of the Chief Information Officer\n\n                                        Lisa M. 
Wilusz /s/\n                                        Director\n                                        Office of Procurement and Property Management\n\n                       SUBJECT:         \xe2\x80\x9cManagement and Security over USDA\xe2\x80\x99s Universal\n                                        Telecommunications Network\xe2\x80\x9d OIG Report # 88501-0002-12\n\n\n                      The Office of the Chief Information Officer (OCIO) and the Office of Procurement\n                      and Property Management (OPPM) submits the following response to your\n                      memorandum of February 12, 2014 to provide the status of our progress in carrying\n                      out Recommendations 1 through 21.\n                      Recommendation 1\n                      OCIO needs to ensure the Information Systems Security Program Manager (ISSPM)\n                      is integrated into all aspects of the UTN project and that all security decisions are\n                      documented.\n                      Agency Response: OCIO Enterprise Network Services (ENS) accepts this\n                      recommendation. 
ENS will complete a project to ensure the ISSPM is integrated into
all aspects of the UTN with the following milestones:
   • ENS will establish a policy to define the ISSPM role within the UTN change
     management process, related projects and POA&M management, and ensure all
     security decisions are documented.
     Target Completion Date: July 30, 2014
   • ENS Contracting Officer Representative (COR) will prepare language changes
     and request the OPPM POD Contracting Officer (CO) modify the AT&T
     Networx contract to establish a project plan that will incorporate the ISSPM into
     all phases of UTN management requiring ISSPM review and/or approval.
     Target Completion Date: July 30, 2014
   • ENS will oversee the completion of the implementation of a Change
     Management Procedure consistent with the new ISSPM policy.
     Target Completion Date: September 30, 2014

AN EQUAL OPPORTUNITY EMPLOYER

Recommendation 2
OCIO needs to develop, document, and implement procedures to ensure that a
security impact analysis is performed on all changes and to the Universal
Telecommunications Network (UTN) services prior to implementation.
Agency Response: OCIO ENS accepts this recommendation.
ENS will complete a project to ensure a security impact analysis is performed on
all changes to the UTN with the following milestones:
   • ENS will modify the Change Management Procedure for the UTN to integrate a
     security impact analysis.
     Target Completion Date: July 30, 2014
   • The ENS COR will prepare language changes and request the OPPM POD CO
     modify the AT&T Networx contract to incorporate the revised change
     management procedure in the contract deliverables.
     Target Completion Date: September 30, 2014

Recommendation 3
OCIO needs to develop and implement procedures to synchronize the firewall rule
sets and website filters so that consistency is maintained at the two trusted internet
connections (TIC) locations. Review the rule sets and filters, on a routine basis, at
least annually, and automate the procedures for better continuous monitoring.
Agency Response: OCIO ENS accepts this recommendation. ENS will complete a
project to address the recommendations regarding the accuracy of the security
policies and ongoing maintenance with the following milestones:
   • ENS will implement a Security Policy Verification procedure and a URL Filter
     Exception procedure to ensure security policies are consistent across the UTN,
     and continuous monitoring in place that will review rule sets and filters at least
     annually to ensure all security policies remain consistent and relevant to the
     USDA mission.
     Target Completion Date: November 30, 2014
   • ENS will recertify all existing URL filtering exceptions requested by the
     Agencies to date.
     Target Completion Date: April 15, 2015

Recommendation 4
OCIO needs to develop and implement controls, including discovery scans, to ensure
all network devices are scanned on a monthly basis.
In addition, develop and
implement a process to timely remediate vulnerabilities and apply software patches
according to Departmental guidance.
Agency Response: OCIO ENS accepts this recommendation. ENS will complete a
project to ensure adequate security controls are in place regarding discovery and
vulnerability scans, including remediation, for the UTN with the following
milestones:
   • ENS will establish a Security Discovery, Scanning, and Remediation Procedure
     to address all processes mentioned in the OIG recommendation.
     Target Completion Date: July 30, 2014
   • The ENS COR will prepare language changes and request the OPPM POD CO
     to modify the AT&T Networx contract to incorporate the Security Discovery,
     Scanning, and Remediation procedure as part of the contract performance.
     Target Completion Date: October 30, 2014

Recommendation 5
OCIO needs to develop and implement the minimum physical and environmental
controls required for each UTN site based upon the security risk and priority of the
site.
Agency Response: OCIO ENS accepts this recommendation. ENS will complete a
project to ensure UTN sites meet the minimum physical and environment controls
with the following milestones:
   • ENS will evaluate and select one of two courses of action to address the
     recommendation. OCIO management will approve either the replacement of the
     current Internet Service with an existing MTIPS service that meets all
     recommendations, or to bring the current Internet Service in compliance with
     the contract.
     Target Completion Date: December 30, 2014
   • The ENS COR will prepare language changes and request the OPPM POD CO
     to modify the AT&T Networx contract to request a technical solution for the
     course of action selected.
     ENS will complete all acquisition and contracting
     activities necessary to fund and initiate the plan.
     Target Completion Date: July 30, 2015
   • ENS will evaluate the proposed technical solution and the ENS COR will work
     with the OPPM POD Contracting Officer to negotiate the award of the final
     technical solution.
     Target Completion Date: December 30, 2015
   • ENS will oversee the completion of construction and development of the final
     technical solution.
     Target Completion Date: June 30, 2016
   • ENS will complete Agency transition to the final technical solution.
     Target Completion Date: January 30, 2017

Recommendation 6
OCIO needs to develop and implement procedures to perform disaster
recovery/failover tests, at least annually.
Agency Response: OCIO ENS accepts this recommendation. ENS has completed a
disaster recovery test of the TIC portals and will continue to do so annually. ENS
will provide supporting artifacts to OIG to demonstrate completion of the disaster
recovery test and provide updated procedure documentation to ensure the annual
completion of the testing.
Completion Date: March 15, 2014

Recommendation 7
OCIO needs to develop and implement oversight procedures for inventory
management.
Agency Response: OCIO ENS accepts this recommendation. ENS will establish a
procedure for oversight of UTN inventory managed by contractors.
Target Completion Date: October 31, 2014

Recommendation 8
OCIO needs to develop and implement a plan to remove and purge unused equipment
from the UTN infrastructure.
Agency Response: OCIO ENS accepts this recommendation. ENS has completed
the removal and purge of unused equipment within the UTN TIC infrastructure.
ENS will provide supporting artifacts to OIG to demonstrate completion.
Completion Date: December 19, 2013

Recommendation 9
OCIO and OPPM need to develop and implement procedures to ensure all personnel
working on the Telecomm task order are identified and have the required background
investigation.
Agency Response: OCIO ENS and OPPM POD accept this recommendation. ENS
will recommend to the OPPM POD Contracting Officer to implement a project that
ensures all personnel working on the UTN task order are identified and have
completed all required background checks with the following milestones:
   • ENS COR will prepare language changes and request the OPPM POD CO
     modify the AT&T Networx contract to establish a UTN Contractor
     Investigation procedure with AT&T.
     Target Completion Date: December 30, 2014
   • ENS will complete the identification and investigation of all contractor staff
     working under the telecom task order.
     Target Completion Date: April 15, 2015

Recommendation 10
OPPM needs to develop and implement procedures for re-assigning contracts and
task orders to contracting officers (CO) to ensure each is provided relevant materials,
understands their responsibilities, and monitors the contractor’s performance.
Agency Response: OPPM POD accepts this recommendation. POD will establish
an Acquisition Operating Procedure to address the reassignment of solicitations and
contracts.
Target Completion Date: July 31, 2014

Recommendation 11
The CO needs to inform all parties that correspondence or discussions regarding task
order changes/disputes/lack of performance are the sole responsibility of the CO.
Agency Response: OPPM POD accepts this recommendation.
The Contracting
Officer assigned to the contract will issue a letter to the Contracting Officer
Representative and the Contractor reiterating that the Contracting Officer has the sole
authority to obligate the government by awarding and modifying contracts.
Target Completion Date: April 30, 2014

Recommendation 12
OPPM and OCIO need to research and, if applicable, seek reimbursement for
unimplemented contract services that USDA is paying for, but AT&T has not
provided.
Agency Response: OPPM POD and OCIO ENS accept this recommendation. ENS
will work with POD to research and, if applicable, seek reimbursements for
unimplemented contract services.
Target Completion Date: September 30, 2014

Recommendation 13
OPPM should require AT&T to meet its contractual obligations and establish
timeframes for AT&T to be in compliance with the terms of the Telecomm task order
or take appropriate action if requirements are not met in a timely manner.
Agency Response: OPPM POD accepts this recommendation. The Contracting
Officer and Contracting Officer Representative will complete a contract compliance
review and identify those contract requirements that are currently not being
performed. The Contracting Officer will notify the Contractor of any non-compliance
and request a corrective action plan.
Target Completion Date: October 31, 2014

Recommendation 14
OCIO needs to update the telecommunication mission area control officer’s
(TMACO) job description in accordance with Departmental Regulations. The
position’s responsibilities and required knowledge should include an understanding of
financial management and billing processes. In addition, ensure the official
responsible for this function has the training necessary, so they can adequately
perform billing reconciliations.
Agency Response: OCIO ENS accepts this recommendation.
ENS will update the
TMACO job description in accordance with Departmental Regulation. ENS will
ensure the TMACO receives appropriate training to support performance of assigned
financial management and billing reconciliation duties. ENS will provide artifacts to
support completion of this recommendation.
Target Completion Date: December 31, 2014

Recommendation 15
OCIO needs to establish procedures requiring that the UTN bills be reviewed and
reconciled monthly. A manager needs to review the monthly billing reconciliations
for accuracy and then initial and date them to ensure and indicate that the bills are
accurate and reviewed timely.
Agency Response: OCIO ENS accepts this recommendation.
   • Currently, ENS performs a manual reconciliation of monthly billing including
     validation of charges against ATQs to ensure correctness of new services
     ordered and received. A manager will review the monthly billing reconciliation
     for accuracy, sign and date to signify acceptance, and record results in a
     tracking log. The documented procedures will be updated to reflect the revised
     process.
     Target Completion Date: June 30, 2014
   • ENS has contracted with a third-party vendor to design and develop the
     Telecommunications Expense Management (TEM) system to automate expense
     management processes for USDA. Phase I includes reporting and an executive
     dashboard that support manual billing reconciliation; Phase II will include
     automated validation of ATQs against billed services to streamline the
     reconciliation process. When the TEM system is deployed, the documented
     procedures will be updated to reflect the new processes.
     Management review
     and approval will continue to be a part of the monthly reconciliation procedure
     for the new TEM system.
     Target Completion Dates: Phase I, July 31/Phase II, December 31, 2014

Recommendation 16
OCIO needs to require that all billing disputes are submitted in accordance with the
terms of the Networx contract.
Agency Response: OCIO ENS accepts this recommendation. ENS will implement
an internal policy directing that all disputes be filed in the Business Direct portal.
ENS will provide artifacts to support completion of this recommendation.
Target Completion Date: June 30, 2014

Recommendation 17
OCIO needs to submit a billing dispute to Business Direct for the $1,916,667.88 in
billing errors that were discovered by AT&T in 2012, so that this transaction is
tracked.
Agency Response: OCIO ENS accepts this recommendation. In 2012, ENS
submitted a request for AT&T to investigate the overbilling of DMRC CLINs at
multiple locations; since the request was submitted by email, a single dispute ticket
was not generated. When adjustments were processed (9/1/12 bill), approximately
950 dispute numbers were generated for the individual CLINs/locations. ENS will
provide a list of the dispute numbers related to the $1,916,667.88 net adjustment to
support completion of this recommendation.
Target Completion Date: June 30, 2014

Recommendation 18
OCIO needs to confirm reimbursements were received for the $89,719.58 in
overcharges.
Agency Response: OCIO ENS accepts this recommendation. ENS confirmed receipt
of adjustments for $89,719.58 overcharges and will provide artifacts to support
completion of this recommendation.
The documented billing review process includes
tracking of billing disputes from filing in Business Direct through verification of
adjustment as part of the monthly billing reconciliation and management validation.
Target Completion Date: June 30, 2014

Recommendation 19
OCIO needs to develop and implement a periodic supervisory review process to
monitor system outages and ensure that any appropriate credit requests are submitted
to AT&T. Requested credits should be tracked to determine whether they have been
reimbursed.
Agency Response: OCIO ENS accepts this recommendation. ENS will provide
artifacts to demonstrate the established process for reviewing monthly AT&T SLA
reports. The documented SLA review process includes tracking of SLA Credit
requests from filing through verification of adjustments as part of the monthly billing
reconciliation and management validation.
Target Completion Date: June 30, 2014

Recommendation 20
OCIO needs to confirm reimbursements were received for the $42,968 system outage
credits identified.
Agency Response: OCIO ENS accepts this recommendation. ENS confirmed
receipt of all eligible credit adjustments and will provide artifacts to demonstrate
completion of this recommendation. The documented SLA review process includes
tracking of SLA Credit requests from filing through verification of adjustments as
part of the monthly billing reconciliation and management validation.
Target Completion Date: June 30, 2014

Recommendation 21
OCIO needs to request that AT&T provide a detailed statement that includes
information for each of the individual credits in any lump sum payment.
Agency Response: OCIO ENS accepts this recommendation. ENS will provide
sample reports from Business Direct that show a detailed break-down of the credit
adjustments, along with their associated CLINs and billing periods, as artifacts to
support completion.
The documented billing review and SLA review processes
include tracking of billing disputes and SLA credit requests from filing through
verification of adjustments as part of the monthly billing reconciliation and
management validation.
Target Completion Date: June 30, 2014

cc:       Lisa Wilusz, Director, OPPM
          Jane Bannon, Program Manager, OIG
          John Donovan, Associate Chief Information Officer, ENS/OCIO
          Vernelle Archer, Director, TMG/ENS/OCIO
          Daniel Crosson, Director, AEO/ENS/OCIO
          Christopher Wren, OCIO Audit Liaison
          Lennetta Elias, OPPM Audit Liaison
"